How to build a strong DevSecOps culture: 5 tips

The most secure organizations treat security as a culture, not a step. Here’s how to nurture a DevSecOps culture of your own – and use metrics to gauge success

4. Make the “sec” in security silent

“The key to a good DevSecOps culture is to remove as much friction as possible from processes,” Schmitt of Aporeto says. “I like to think that the ideal way to think about integrating security into DevSecOps is to make ‘Sec’ silent.”

That’s not necessarily to be taken literally; security should have a seat at the table and a voice, of course. Rather, this is where the technical pieces of your security posture come into play. For Schmitt, reducing friction, or making security “silent,” ideally means embracing automation in your security processes and tools.

“The ultimate incentive is enabling DevOps teams to implement security automatically as part of their everyday processes,” Schmitt says. He points to integrating security controls directly into the CI/CD pipeline and development tools as an example.

You’ve got good options at your disposal, including plenty of open source platforms.

“From a technical perspective, a good place to start is to make sure each team is making use of available open source tools to perform security-related tasks,” says Cheslock at Threat Stack. “Configuration management tools have made the integration of operations and security a much easier proposition.”

5. Implement shared goals and KPIs

A strong DevSecOps culture that your team really buys into also depends upon eliminating conflicting performance incentives across different roles on the same team. A classic conflict in this category would be developers who are measured almost entirely by how quickly and frequently they ship code, and security pros who are tasked with limiting vulnerabilities in production. One wants to move as fast as possible; the other is essentially motivated to slow everything down.

DevSecOps should be, in part, about getting people on the same page, working toward common goals – with shared responsibilities and metrics.

“It’s all about shared goals,” Cheslock says. “Give both DevOps and security teams a shared framework to work against. The [whole] team needs to understand that it’s now up to them to own security the way they once were expected to own user experience, reliability, and performance.”

Jerbi shares several key performance indicators as examples for measuring your DevSecOps efforts. Everyone should share in the responsibility for these measurements, not just the security team:

  • Number of app security issues discovered in production: You want this number, obviously, to decrease. “Issues discovered in production are issues missed during development, so this number should be minimized,” Jerbi says.

  • Percentage of deployments stopped/delayed due to failing security tests: “Again, ideally such issues should be resolved before deployment.”

  • Time to fix security issues: This is a longer-haul measurement that should decrease over time; it should be one of the rewards of a healthy DevSecOps culture, in that it reduces the effort and pain involved in resolving security issues when they do occur. “Hopefully, issues that are discovered pre-integration are easier and faster to fix, so this is also a reflection of how well the team is performing,” Jerbi says.
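The three KPIs above are easy to state but only useful once they are computed the same way every sprint. The following script is an added example, not code from the article or from any of the vendors quoted in it; it computes all three from issue-tracker and deployment records over a reporting window. The record shapes (`SecurityIssue`, `Deployment`), the stage names (`dev`, `ci`, `production`) and the sample values are assumptions constructed for the example. It also splits time-to-fix by where the issue was found, which is the comparison Jerbi's last point relies on.

```python
"""Compute the three DevSecOps KPIs from issue-tracker and deployment records.

Constructed example: the record shapes, stage names and sample values are
assumptions, not an export from a real tracker or pipeline.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, Iterable, List, Optional, Set

# Assumption: a scan that runs before code is merged reports one of these stages.
PRE_INTEGRATION_STAGES = {"dev", "ci"}


@dataclass
class SecurityIssue:
    issue_id: str
    found_in: str              # "dev", "ci" or "production"
    opened: datetime
    fixed: Optional[datetime]  # None while the issue is still open


@dataclass
class Deployment:
    deploy_id: str
    when: datetime
    blocked_by_security_test: bool


def issues_found_in_production(issues: Iterable[SecurityIssue], since: datetime) -> int:
    """KPI 1: security issues first seen in production during the window."""
    return sum(1 for i in issues if i.opened >= since and i.found_in == "production")


def percent_deployments_blocked(deploys: Iterable[Deployment], since: datetime) -> float:
    """KPI 2: share of deployments stopped or delayed by a failing security test."""
    window = [d for d in deploys if d.when >= since]
    if not window:                       # no deployments yet: report 0 rather than divide by zero
        return 0.0
    blocked = sum(1 for d in window if d.blocked_by_security_test)
    return round(100.0 * blocked / len(window), 1)


def median_hours_to_fix(issues: Iterable[SecurityIssue], since: datetime,
                        stages: Optional[Set[str]] = None) -> Optional[float]:
    """KPI 3: median hours from opening to fix; None when nothing was fixed in the window.

    Open issues are excluded so they cannot make the number look better than it is;
    pass `stages` to compare pre-integration fixes against production fixes.
    """
    hours = [
        (i.fixed - i.opened).total_seconds() / 3600
        for i in issues
        if i.fixed is not None and i.opened >= since
        and (stages is None or i.found_in in stages)
    ]
    return median(hours) if hours else None


def kpi_report(issues: List[SecurityIssue], deploys: List[Deployment],
               since: datetime) -> Dict[str, Optional[float]]:
    """All three KPIs for one reporting window, ready to plot sprint over sprint."""
    return {
        "production_issues": issues_found_in_production(issues, since),
        "pct_deployments_blocked": percent_deployments_blocked(deploys, since),
        "median_hours_to_fix_all": median_hours_to_fix(issues, since),
        "median_hours_to_fix_pre_integration": median_hours_to_fix(issues, since, PRE_INTEGRATION_STAGES),
        "median_hours_to_fix_production": median_hours_to_fix(issues, since, {"production"}),
    }


# Constructed sample records for one reporting window starting 1 October.
WINDOW_START = datetime(2019, 10, 1)
SAMPLE_ISSUES = [
    SecurityIssue("I-1", "ci", datetime(2019, 10, 2, 9), datetime(2019, 10, 2, 13)),     # 4 h
    SecurityIssue("I-2", "production", datetime(2019, 10, 5, 10), datetime(2019, 10, 8, 10)),  # 72 h
    SecurityIssue("I-3", "dev", datetime(2019, 10, 7, 8), datetime(2019, 10, 7, 10)),    # 2 h
    SecurityIssue("I-4", "production", datetime(2019, 10, 9, 12), None),                 # still open
    SecurityIssue("I-5", "ci", datetime(2019, 9, 20, 9), datetime(2019, 9, 21, 9)),      # before window
]
SAMPLE_DEPLOYS = [
    Deployment("D-1", datetime(2019, 10, 3), False),
    Deployment("D-2", datetime(2019, 10, 4), True),   # stopped by a failing security test
    Deployment("D-3", datetime(2019, 10, 6), False),
    Deployment("D-4", datetime(2019, 10, 8), False),
    Deployment("D-5", datetime(2019, 9, 28), True),   # before window, not counted
]

if __name__ == "__main__":
    for name, value in kpi_report(SAMPLE_ISSUES, SAMPLE_DEPLOYS, WINDOW_START).items():
        print(f"{name}: {value}")
```

On the sample data the pre-integration median (3 hours) against the production median (72 hours) is the gap Jerbi describes; tracking the two side by side makes it visible to the whole team, not just to security.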

If you’re just starting out, remember that improved security isn’t a check-off in a healthy DevSecOps culture, nor is improved security going to happen overnight. But shorter-term wins or milestones will help build and reinforce a healthy DevSecOps culture.

“Begin by tackling some low-hanging fruit to build trust,” Cheslock advises. “Identify some basic improvements in security hygiene that you’d like to see from the team – maybe password security or encryption – then build upon that. Each successful initiative gets security further ingrained in the culture of the enterprise.”
